Despite the negative and widespread publicity around baby monitor hacks, you sadly shouldn't expect an end to baby cam hacker stories any time soon. Today Rapid7 publicly disclosed 10 new vulnerabilities in Internet-connected baby monitors from a range of manufacturers. On Rapid7's grading scale, eight of the monitors scored an "F" and one received a "D."
If you were curious about the redactions in the slides during Mark Stanislav's "The Hand that Rocks the Cradle: Hacking IoT Baby Monitors" presentation at DEF CON's IoT Village, they covered the new vulnerabilities he had uncovered. Stanislav and Tod Beardsley have now published a hacking IoT case study on baby monitors (pdf).
Rapid7 detailed the 10 new flaws. They were responsibly disclosed in July, at least to the vendors that could be reached; the researchers also reported them to CERT and presented their findings today at the High Technology Crime Investigation Association (HTCIA) conference.
The iBaby M6, which currently sells for $199.95, connects to the cloud to store video recordings. Any logged-in ibabycloud.com user could retrieve another customer's camera details, including recordings, simply by supplying that camera's serial number. Logins to ibabycloud.com are currently disabled. The researchers wrote:
The web site ibabycloud.com has a vulnerability by which any authenticated user to the ibabycloud.com service is able to view camera details for any other user, including video recording details, due to a direct object reference vulnerability.
Rapid7 suggested mitigations: The “attack is more difficult without prior knowledge of the camera's serial number, as all logins are disabled on the ibabycloud.com website. Attackers must, therefore, acquire specific object IDs by other means, such as sniffing local network traffic. In order to avoid local network traffic cleartext exposure, customers should inquire with the vendor about a firmware update, or cease using the device.”
The iBaby M3S, which currently sells for $169.95, ships with a hardcoded username and password of admin/admin. Mitigations: Customers are advised to ask the vendor about a firmware update that disables those credentials.
The Philips B120/37, which currently sells for anywhere from $82.99 to $199.76 and has since been discontinued, had several vulnerabilities. The device shipped with "hardcoded and statically generated credentials which can grant access to both the local web server and operating system. The operating system 'admin' and 'mg3500' account passwords are present due to the stock firmware used by this camera, which is used by other cameras on the market today."
Next, the "web service used on the backend of Philips' cloud service to create remote streaming sessions is vulnerable to reflective and stored XSS," which an attacker could use for session hijacking. The third vulnerability involved "the method for allowing remote viewing," which "uses an insecure transport, does not offer secure streams protected from attackers, and does not offer sufficient protection for the camera's internal web applications."
Rapid7 suggested mitigations: “In order to disable the hard-coded credentials, customers should inquire with the vendor about a firmware update. UART access can be limited by not allowing untrusted parties physical access to the device. A vendor-provided patch should disable local administrative logins, and in the meantime, end-users should secure the device’s housing with tamper-evident labels. In order to avoid the XSS and cleartext streaming issues with Philips' cloud service, customers should avoid using the remote streaming functionality of the device and inquire with the vendor about the status of a cloud service update.”
Philips was the only vendor with an established process for handling vulnerability reports. Some vendors did not reply to the researchers at all, and others questioned their motives for disclosing the vulnerabilities.
The Summer Infant Baby Zoom 28630, which currently sells for $199.99, has two flaws. First, "an authentication bypass allows for the addition of an arbitrary account to any camera, without authentication." Second, according to Rapid7, "an authenticated, regular user can access an administrative interface that fails to check for privileges, leading to privilege escalation."
Rapid7 suggested mitigations: “In order to avoid exposure to the authentication bypass and privilege escalation, customers should use the device in a local network only mode, and use egress firewall rules to block the camera from the Internet. If Internet access is desired, customers should inquire about an update to Summer Infant's cloud services.”
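The ibabycloud.com direct object reference and the two Summer Infant flaws are authorization failures of the same shape: the server confirms who you are and then never asks whether you may touch the object you named. The following Python is an added example written for this article, not Rapid7's code or any vendor's. It models a toy camera-cloud API with made-up users, serial numbers and recordings, and shows each bug next to the check that closes it.

```python
"""Added example for this article: the three access-control bugs described
above (direct object reference, unauthenticated account creation, and an
admin interface with no privilege check), each beside a hardened version.
Illustrative only: not Rapid7's or any vendor's code; the users, serials
and recordings are constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Authenticated, but not allowed to touch this object."""


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Camera:
    serial: str
    owner: str
    viewers: set = field(default_factory=set)      # accounts allowed to watch
    recordings: list = field(default_factory=list)


# Constructed sample state: two households plus one cloud operator account.
USERS = {"alice": User("alice"), "bob": User("bob"), "ops": User("ops", True)}
CAMERAS = {
    "SN-0001": Camera("SN-0001", "alice", {"alice"}, ["nap-0902.mp4"]),
    "SN-0002": Camera("SN-0002", "bob", {"bob"}, ["night-0902.mp4"]),
}


def authenticate(caller):
    """Every handler starts here; the bugs are in what happens afterwards."""
    user = USERS.get(caller)
    if user is None:
        raise PermissionError("login required")
    return user


# 1. Direct object reference (the ibabycloud.com bug): logged in + serial = any camera.
def get_camera_vulnerable(caller, serial):
    authenticate(caller)
    return CAMERAS[serial]


def get_camera_fixed(caller, serial):
    authenticate(caller)
    cam = CAMERAS.get(serial)
    # Same error for "no such serial" and "not yours", so the serial space cannot be probed.
    if cam is None or caller not in cam.viewers:
        raise Forbidden("no such camera")
    return cam


# 2. Account added to any camera without authentication (the Summer Infant bypass).
def add_viewer_vulnerable(serial, new_user):
    CAMERAS[serial].viewers.add(new_user)          # nobody asked who is calling
    return set(CAMERAS[serial].viewers)


def add_viewer_fixed(caller, serial, new_user):
    user = authenticate(caller)
    cam = CAMERAS.get(serial)
    if cam is None or not (user.is_admin or cam.owner == caller):
        raise Forbidden("no such camera")
    cam.viewers.add(new_user)
    return set(cam.viewers)


# 3. Admin interface reachable by any regular user (the Summer Infant escalation).
def admin_list_cameras_vulnerable(caller):
    authenticate(caller)                            # authenticated is not authorized
    return sorted(CAMERAS)


def admin_list_cameras_fixed(caller):
    if not authenticate(caller).is_admin:
        raise Forbidden("admin only")
    return sorted(CAMERAS)


if __name__ == "__main__":
    # Bob is a paying customer who knows (or sniffed) Alice's serial number.
    print(get_camera_vulnerable("bob", "SN-0001").recordings)   # Alice's recordings leak
    try:
        get_camera_fixed("bob", "SN-0001")
    except Forbidden as err:
        print("fixed:", err)
```

The fixed handlers deliberately return the same "no such camera" error whether the serial does not exist or belongs to someone else, so an attacker iterating serials learns nothing from the response; the mitigation Rapid7 describes (disabling logins and relying on the serial being unknown) only raises the cost of guessing, it does not remove the missing check.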
The Lens LL-BC01W, which currently sells for $59.99, ships with hardcoded credentials that are accessible from a UART interface and that "grant access to the underlying operating system, and via the local web service, giving local application access via the web UI. Due to weak filesystem permissions, the local OS 'admin' account has effective 'root' privileges."
Mitigations: As with the others, contact the vendor about a firmware update. However, there is no vendor page, no registered domain and no known manufacturer, just an Amazon listing, so in practice that means retiring the device.
Remember TRENDnet, which the FTC sanctioned for lax security after its cameras gave peeping Toms such easy viewing? Believe it or not, even after all that, Rapid7 reported that the TRENDnet WiFi Baby Cam TV-IP743SIC, which currently sells for $69.89, ships with the hardcoded credentials of 'root' for the username and 'admin' for the password. Mitigations are the same as for the others: ask the vendor for a firmware update.
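The Philips, Lens and TRENDnet findings above are all hardcoded operating-system accounts baked into stock firmware. The first thing a practitioner does with such a device is pull the root filesystem (over the UART console, from the vendor's firmware download, or from a flash dump) and triage /etc/passwd and /etc/shadow for accounts that can actually log in. The following Python is an added example written for this article, not Rapid7's or any vendor's tooling. The passwd and shadow contents are constructed to resemble a typical embedded Linux image (the account names echo the Philips finding; the hashes are fake), and the triage rules are the ones I would start with, not anything from the report.

```python
"""Added example for this article: triage an extracted firmware root
filesystem for login-capable hardcoded accounts. Not Rapid7's or any
vendor's code; the sample passwd/shadow below are constructed and the
hashes are fake."""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# crypt(3) "$id$" prefixes; a hash with no prefix is traditional DES.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
FAST_HASHES = {"descrypt", "md5crypt"}   # cheap to crack offline on commodity GPUs

# Constructed sample: "admin" is a second uid-0 account, "mg3500" carries a
# DES hash, "www" has an empty password, and "daemon" is correctly locked.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:Administrator:/home/admin:/bin/sh
mg3500:x:1000:1000:Camera user:/home/mg3500:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:httpd:/var/www:/bin/false
"""
SAMPLE_SHADOW = """\
root:$1$fakesalt$0123456789abcdefghijkl:16000:0:99999:7:::
admin:$1$fakesalt$abcdefghijklmnopqrstuv:16000:0:99999:7:::
mg3500:fAkEdEsHaSh1:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
www::16000:0:99999:7:::
"""


def parse_passwd(text):
    """name -> {uid, gid, shell, pw}; pw is 'x' when the hash lives in shadow."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell, "pw": pw}
    return accounts


def parse_shadow(text):
    """name -> hash field (second column of /etc/shadow)."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            parts = line.split(":")
            hashes[parts[0]] = parts[1]
    return hashes


def hash_algo(hashed):
    """Classify a crypt(3) hash field: locked, empty, or the algorithm name."""
    if hashed == "":
        return "empty"
    if hashed.startswith(("!", "*")):
        return "locked"
    if hashed.startswith("$"):
        ident = hashed.split("$")[1]
        return CRYPT_IDS.get(ident, "crypt id " + ident)
    return "descrypt"


def triage(passwd_text, shadow_text):
    """Return name -> finding for every account worth a second look."""
    accounts = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = {}
    for name, acct in accounts.items():
        if acct["pw"] == "x":
            # Shadowed password; missing shadow entry means we cannot judge it.
            algo = hash_algo(shadow[name]) if name in shadow else "missing"
        else:
            algo = hash_algo(acct["pw"])          # hash stored directly in passwd
        reasons = []
        if acct["uid"] == 0 and name != "root":
            reasons.append("second uid-0 account")
        if algo not in ("locked", "missing") and acct["shell"] not in NOLOGIN_SHELLS:
            reasons.append("interactive login possible")
        if algo == "empty":
            reasons.append("empty password")
        if algo in FAST_HASHES:
            reasons.append("fast hash, worth cracking offline")
        if reasons:
            findings[name] = {"uid": acct["uid"], "shell": acct["shell"],
                              "hash": algo, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, f in triage(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name:8} uid={f['uid']:<5} {f['hash']:12} {', '.join(f['reasons'])}")
```

Run it against `rootfs/etc/passwd` and `rootfs/etc/shadow` from the extracted image instead of the samples. Any account it reports as login-capable is a candidate for the kind of hardcoded credential described above; the hash classification tells you whether an offline crack is cheap (DES or md5crypt) before you bother, and a second uid-0 account is exactly the "admin has effective root" situation the Lens finding describes, whatever the filesystem permissions say.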
The researchers also tested the $259.99 WiFiBaby WFB2015 and the $204.60 Withings WBP01, and pointed out that Amazon sells 17 different IoT baby monitors. All of the devices tested had "several common security issues." Rapid7 broke the flaws down into three categories: baby monitors that can be exploited from the Internet, from the local network, or with physical access to the device.